Skype bug gives attackers access to Mac OS X machines Mac users running Skype are vulnerable to self-propagating exploits that allow an attacker to gain unfettered system access by sending a specially manipulated attachment in an instant message, a hacker said. “The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control …
I expect it will sound like this:
1) you have to accept or in some other way interact with the attachment, it can;t auto-execute.
2) gaining shell access is not gaining root access.
3) root access is only gained if previously enabled (not the default, and not commonly done by accident).
4) it only works for people on your friends list
5) some settings in Skype that are not the default may need to be set, turned on/off.
6) since use of skype essentially required using a current version, by the time an ITW exploit exists, all active skype users will be patched and this attack vector will be useless.
7) though in some cases (noted) root access can be attained, installation of executable code is still not possible without further user interaction, including entering of the keychain password.
I wiped Skype off my iBook about three years ago after trying it out and finding it to be a slow, bandwidth-sucking, useless pain in the ass.
Good points, too. Basically, it'll be like someone you're talking with saying to you, "hey, I have this executable I'd like to run on your Mac. Can you give me shell access? Let me know when you've done it."
It's funny because I remember everyone saying DEP would stop all these sorts of things.
Anyway how can a bug in an application be the fault of the OS? the OS has to give applications access to services and APIs or else the application would never be able to do anything.
If this bug says anything it is that Skype (like many others) can't code OSX apps for toffee.
I agree that it is Skype's fault - such failures aren't the OS's responsibility.
However, I'd say that an OS that suffers because of an application failure of -any- sort is not very well designed or implemented. So OS X isn't entirely blameless, and neither is Windows, for similar cases.
Are there any robust OSs out there?
even catastrophic hardware failures don't crash that thing.. Has a funny way of working. Kernel is sealed in the first page of the PC ( first 64K ) . All remaining memory is essentially a ramdrive.
A program is simply copied from disk and executed. Each program is allowed a scratchfile ( in the ramdrive ) the Os sets the max size of this ramdrive. Any variables used by the program reside in this scratchfile. If a program crashes it is simply reloaded into a different 'sector' and the link is restored to its scratchfile. This scratchfile also includes a stack , heap and all other constructs. Essentially this scratchfile acts as a VM.
I had an ion-implanter (made by Eaton) running on a 386 with a full windowed graphical user interface ( There is a graphical shell on top of iRMX ) Each button or menu is essentially a standalone program that interacts with others. All of a sudden the system console pops up : Memory error at address .. (i forgot the actual addres sbut it was in the high memory ). Reloading affected elements..
and a few seconds later the system was fully operational as if nothing happened.
The fault was a defective DIMM. iRMX had trapped an unstability , moved the corrupted programs to a different 'sector' and marked that portion of the 'ramdrive' as bad. After reloading fresh copies of the affected elemetns it simply pointed them back to their runtime file and they happily took of where the previous instance failed.
The machine kept on running for many more weeks until we shut it down for a scheduled maintenance at which point the faulty dimm was replaced.
As long as the first 64K of memory does not get corrupted by physical damage you cannot crash iRMX.
iRMX lives on as InTime, a concurrent RTOS that can coexist with other OS's and runs simultaneously on multicore processors. It is used for things such as medical equipment, machine control and other 'critical' applications. the critical portion runs on a dedicated core under iRMX. this communicates with a non critical host OS and lets the host do the visualisation and user interface. Even if the host Os fails the iRMX portion remains running and maintains integrity on the system to be controlled.
Presuming Skype isn't nice enough to maintain multiple versions of the software on Macs, all the folks (including myself) still on Skype 2.8.0.863 and below will now be "forced" to upgrade to an (ahem) "improved" interface 5+ version, or suffer the impunity of a known security hole staring right at them (gazing into the void, as it were).
Including of course those on PowerPC-based machines and/or using OS X versions earlier than Leopard 10.5.8 who can't use Skype 5+ anyway.
I must try to find other workaraounds! Never surrender, cold, dead hands etc.
Do you have to have the "accept files automatically" option checked? (A stupid option, it should be got rid of.)
And do you have to have the 'Open "safe" files after downloading' option checked? (The same one which allows a denial of service attack in Safari and they Apple still haven't removed it from Safari.)
If the second option behaves in Skype as it does in Safari then it should run installer packages if you click on 'ok', and installer packages contain shell scripts.
If you run Skype in a limited user account (as I'm sure we all do), you're safe(r), right?
And probably even safer still if you don't set the options to accept and run any file that someone on the Internet sends you through IM. Bit stupid, that.
Unfortunately the bulk of the populace aren't sufficiently interested in computers/computing to realise what 'stupid' behaviour is. I'm tired of hearing OSX people telling me how unlikely it is that a user would allow permissions to do X Y or Z then seeing examples of it happening. No OS is impervious to the vulnerabilities introduced by third party software or the 'stupidty' of users who believe they are secure.
As has been said before, make something idiot proof and nature creates a better idiot.
Serious analysis of Mac attacks has identified users as the primary vector. Therefore, Apple are working on a strategy which eliminates the end-user. Expect future Apple products to rely less upon the comprehension of the user. Eventually, Apple products will be entirely self-reliant, and will utilise their in-built Jobbsian decision-making software(TM) to decide who you need to talk to and when, and what you need to say.
Something like the flappers in Swift's Laputa.
...I mean what were they thinking? were they even thinking?
That and the fact that on startup, I have 5 apps opening on login, yet skype is always the last to finish? I can even get iphoto to load before it, and that's really saying something.
Total POS. And now it's insecure too. Way to go Skype...
If Farcebook buys them (as it rumoured) you will either have users who are be default exposed, or are not exposed at all because they have left in disgust. I hope to be in the latter category if I find a decent replacement with the same or better functionality...
I don't think the Skype UI designers vomitted all over the desktop, they let it pass normally through their digestive tracts and excreted it. Skype 5 for mac isn't a pavement pizza, it's a steaming pile of poo.
Fortunately there is a much better version available. For some reason the improved version has been called Skype 2.8 for mac instead of Skype 6 for mac. I never have understood the world of product marketing.
So there's a remote code execution exploit that is of limited usability--a malicious attacker would first have to social engineer themselves into the address book OR somehow affect to remove the disallow instant messages from unknown sources restriction. Moreover, it yields shell access which isn't quite root shell access yet, on a plaform that typically doesn't even enable root access, has reasonable intrasystem firewalls and user separation, makes it easy to maintain that separation for the user, and actively warns the user not to be frivolous with admin and root rights.
Skype apparently had already noticed a crashbug that underlies this and fixed up a patch for that, but because they didn't want to scare their users and they didn't have reports of it being abused in the wild, they didn't make a lot of noise about it. Now you can quibble about that last bit (and I would, from a technical perspective), but from a business perspective it's defensible, and it allows them to say that they have released a patch that takes the sting out of this months ago, and another coming up next week.
Though it would be nice if older clients too got paches instead of forcing everybody to update to the very latest, that apparently has a wildly different interface. But the point is: As dealing with security issues goes, it's not bad a all; I'd say it's fairly well done.
...that I'm targeting a specific individual at an organisation. I do my research (LinkedIn, trade show, be imaginative). I manage to get myself on their contact list, perhaps using a spearphising attack with a simple AppleScript payload to add me to their list if I've not tricked the target into a personal relationship.
Now I initiate a conversation and exploit the vulnerability. I now have shell access. "But it's not a root shell" you say. No, but who cares! I have the victims data, private keys, whatever I want. I can drop a script in Startup Items to create a reverse SSH tunnel on a high port and I can get back in whenever I want.
As for Skype "not wanting to scare users" because they didn't have "reports of it being abused in the wild". Right. Would you even know if it had been used against you in this scenario? Would you necessarily want to report such a breach if news of it would impact on your share price? Skype's response may not be Adobe-lame, but it is lame.
I'm a Mac user. I also might be paranoid. But I cringe whenever I read comments like yours, or comments from Mactards/fanbois who exist on their little security islands.
You know, you could set up a separate user account and run programs like skype under a different uid, mitigating the access to data. Private keys ought to be stored under password and that sort of thing. The point is, you can, and it's not all that difficult to use such capabilities if you care to.
If you don't care to, then that's exactly the risk you run with any and all program that "does things" with the network. Cost of doing business and all that. You're not going to change overnight that software will have holes in it, and sometimes blatant sloppy ones to boot.
Yes, this should change --that I've been advocating too, just not in this thread-- and we've known or could have known literally for decades: EWD remarked on it, for example.
In the meantime there's the occasional hole to be dealt with, and doing that properly isn't that easy; many, many get it horribly wrong. Down to actually suing the guy reporting vulnerabilities or neglecting to fix blatant security vulnerabilities for over a decade.
I'm fairly sure this particular bug will not have been used against me because I don't use skype and don't have it installed. How others would've known, I don't know, but I did mention that I'd quibble with skype's decision not to want to scare the users for technical reasons, and that's this, pretty much. But as a business decision, it's defensible simply because of how marketing works. "Come eat cold, dead fish!" and all that.
But I say again: They've acted on earlier reports and did create a patch even though they (even if hindsight says mistakenly) believed it wasn't too big a deal, and they've promptly acted on this report and promised a patch quick-like. Of what I've seen they did was by and large constructive. It doesn't really do to slag them for that. If you believe you know better, do tell.
Oh, and FWIW I don't count myself a fanboi; main box is FreeBSD, and my trade is system administration and software engineering both. Incidentally I have seen both sides of having to fix security scares like this. You apparently have not.
I've been trying to allow execution on specific folders - though at the moment it's been a bit of a fail. I'm now thinking to just deny all execution from any user folder which would solve this problem...
and not allow any user from writing to any directory outside the the user folder...
Normally needs a mac os x server but hopefully will be able to extract the changes to implement without an os x server.
I've always thought being able to just drag apps and run them from anywhere (any platform) can lead to bad things... execution should be locked down by default...
The traditional unix way (recall darwin underneath all the proprietary gloss is plenty unix-y) is to separate the user directories out as a "mount", say as a separate disk or separate partition on disk. Then mount it noexec. It would likely be less work but more digging up of how exactly to do it with ACLs, but that also should be possible.
But skype was probably installed /by the admin/ and therefore /with admin rights/, and its binaries won't be in users' home directories. What typically happens in cases like this is that the program running in memory (which is no longer quite the same as what's on disk) gets clobbered and accidentally executes binary code that was deliberately and maliciously injected into memory, not necessarily onto disk. So noexec won't really help you here.
noexec isn't a bad idea for locking down corporate or kiosk type boxes, mind. But it won't protect against this sort of attack.
I did not say that programs installed by root will execute with root privileges. If you think I said that, turn on your brain and read again. Now that you mention it, they might, but only if set by root to do so--that's what suid does, and that of course only should be turned on if strictly necessary. Anyhow.
I did say that you can prevent users from executing programs dropped into their home directory, as dino expressed he desired to do. I even mentioned how.
I also said that this "noexec" trick does not prevent remote execution exploits as described in the main article. Moreover, I briefly sketched why.
Any questions about the above?
"...this message would have to come from someone already in your Skype Contact List, as Skype's default privacy settings will not let you receive messages from people that you have not already authorized..."
...and this would be good, if it were true.
My Skype privacy settings are all set to "People in my contact list only" but every so often, I get an IM from someone not in my contact list (typically spam). When you check in Skype's forums, you will find that this is a known issue that has been around for some time and that Skype periodically claims to have fixed it.
Would that be like McCrappee? Some sort of performance sucking bloated leechware that can turn the latest bit of kit into something slower than an Amstrad 386? As opposed to something well written and targeted that does the job with minimal overhead and doesn't decide that critical Windows DLLs are viruses every couple of months
Wonder why Intel wanted something that makes anything but the absolute latest hardware run like a PoS?
Oh, I get it...
... who needs enemies?
Seriously, if your using skype and are accepting any contact automatically and *then* accept files from them, I'm sorry, but your ... an ass.
This is a classic case of relying on the stupidity of users, which I guess is how most malware spreads these days.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
